Disclosure of Invention
The invention aims to provide a security situation prediction method and a security situation prediction system based on an MES identification data intercommunication system, which can accurately locate security vulnerabilities in the MES identification data intercommunication system and evaluate the security situation within the system, thereby helping security management personnel to formulate an effective protection scheme.
In order to achieve the purpose, the invention provides the following scheme:
a security situation prediction method based on an MES identification data intercommunication system comprises the following steps:
acquiring a security situation evaluation model of the MES identification data intercommunication system; the security situation evaluation model is the overall framework of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a second-level node layer and an enterprise node layer;
extracting network security situation elements of each enterprise node in the enterprise node layer according to the security situation evaluation model; the network security situation elements comprise: original alarm information and original flow data;
determining a situation threat value of each enterprise node according to the network security situation elements;
according to the security situation evaluation model, performing data fusion on the situation threat value of each enterprise node by adopting a bottom-to-top, layer-by-layer fusion strategy to obtain an overall situation threat value of the MES identification data intercommunication system;
determining an overall situation threat prediction value according to the overall situation threat values within a set date and an autoregressive moving average model; the set date is 30 days.
Optionally, the determining a situation threat value of each enterprise node according to the network security situation element specifically includes:
preprocessing the original alarm information; the preprocessing comprises data normalization and data clustering;
determining the proportion of the occurrence frequency of each attack type to the total occurrence frequency of the attacks according to the preprocessed original alarm information;
determining the threat level of each attack type by adopting a vulnerability scoring system according to the proportion of the occurrence frequency of each attack type to the total occurrence frequency of the attacks;
performing feature extraction on the original flow data to obtain features of the original flow data;
judging whether the original flow data is abnormal or not by utilizing a convolutional neural network according to the features of the original flow data; if the original flow data is abnormal, the flow data is saved as a Boolean value 1, and if the original flow data is normal, the flow data is saved as a Boolean value 0; the convolutional neural network takes the features of the original flow data as input and the judgment result as output; the judgment result is that the original flow data is normal or that the original flow data is abnormal;
counting the number of hosts with abnormal original flow data;
and determining the situation threat value of each enterprise node according to the threat level of each attack type and the number of corresponding abnormal hosts of the original flow data.
Optionally, the performing data fusion on the situation threat value of each enterprise node by using a strategy of fusion from bottom to top and layer to layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data interworking system specifically includes:
acquiring the weight of each enterprise node;
performing data fusion on the situation threat values of all enterprise nodes corresponding to each secondary node in the secondary node layer according to corresponding weights to obtain the situation threat values of all nodes in the secondary node layer;
performing data fusion on the situation threat values of all secondary nodes corresponding to each top level node in the top level node layer to obtain the situation threat value of each top level node;
performing data fusion on the situation threat value of each top-level node to obtain the situation threat value of the root node layer; and the situation threat value of the root node layer is the whole situation threat value of the MES identification data intercommunication system.
Optionally, the determining a predicted value of the overall situation threat according to the overall situation threat value within the set date and the autoregressive moving average model further includes:
and feeding back the overall situation threat prediction value.
A security posture prediction system based on an MES identification data interworking system, comprising:
the security situation assessment model acquisition module is used for acquiring a security situation assessment model of the MES identification data intercommunication system; the security situation evaluation model is the overall framework of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a second-level node layer and an enterprise node layer;
the network security situation element determining module is used for extracting the network security situation elements of each enterprise node in the enterprise node layer according to the security situation evaluation model; the network security situation elements comprise: original alarm information and original flow data;
the situation threat value determining module is used for determining the situation threat value of each enterprise node according to the network security situation elements;
the overall situation threat value determining module is used for performing data fusion on the situation threat value of each enterprise node by adopting a strategy of fusion from bottom to top and layer to layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system;
the overall situation threat prediction value determining module is used for determining an overall situation threat prediction value according to the overall situation threat value in a set date and the autoregressive moving average model; the set date is 30 days.
Optionally, the situation threat value determining module specifically includes:
the preprocessing unit is used for preprocessing the original alarm information; the preprocessing comprises data normalization and data clustering;
the attack proportion determining unit is used for determining the proportion of the occurrence frequency of each attack type to the total number of attack occurrences according to the preprocessed original alarm information;
the threat level determining unit is used for determining the threat level of each attack type by adopting a vulnerability scoring system according to the proportion of the occurrence frequency of each attack type to the total occurrence frequency of the attacks;
the characteristic extraction unit is used for extracting the characteristics of the original flow data to obtain the characteristics of the original flow data;
the original flow data judging unit is used for judging whether the original flow data are abnormal or not by utilizing a convolutional neural network according to the features of the original flow data; if the original flow data is abnormal, the flow data is saved as a Boolean value 1, and if the original flow data is normal, the flow data is saved as a Boolean value 0; the convolutional neural network takes the features of the original flow data as input and the judgment result as output; the judgment result is that the original flow data is normal or that the original flow data is abnormal;
the abnormal statistic unit is used for counting the number of abnormal hosts of the original flow data;
and the situation threat value determining unit is used for determining the situation threat value of each enterprise node according to the threat level of each attack type and the number of corresponding abnormal hosts of the original flow data.
Optionally, the overall situation threat value determining module specifically includes:
the weight acquisition unit of the enterprise node is used for acquiring the weight of each enterprise node;
the situation threat value determination unit of each node of the secondary node layer is used for performing data fusion on the situation threat values of all enterprise nodes corresponding to each secondary node in the secondary node layer according to corresponding weights to obtain the situation threat values of each node of the secondary node layer;
the situation threat value determination unit of the top level node is used for carrying out data fusion on the situation threat values of all the secondary nodes corresponding to each top level node in the top level node layer to obtain the situation threat value of each top level node;
the overall situation threat value determining unit is used for carrying out data fusion on the situation threat value of each top-level node to obtain a situation threat value of the root node layer; and the situation threat value of the root node layer is the whole situation threat value of the MES identification data intercommunication system.
Optionally, the system further includes:
and the feedback module is used for feeding back the overall situation threat prediction value.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
According to the security situation prediction method and system based on the MES identification data intercommunication system, the situation threat value of each enterprise node is determined according to the network security situation elements, so that security vulnerabilities in the system are accurately located and the security situation within the system is evaluated, which helps security management personnel to formulate an effective protection scheme. Data fusion is then performed on the situation threat value of each enterprise node by adopting a bottom-to-top, layer-by-layer fusion strategy according to the security situation evaluation model to obtain the overall situation threat value of the MES identification data intercommunication system. In this way the security situation of a plurality of enterprise nodes is evaluated at the same time, and the security situation evaluation of the whole MES identification data intercommunication system is accelerated.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a security situation prediction method and a security situation prediction system based on an MES identification data intercommunication system, which can accurately locate security vulnerabilities in the MES identification data intercommunication system and evaluate the security situation within the system, thereby helping security management personnel to formulate an effective protection scheme.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Fig. 1 is a schematic flow diagram of a security situation prediction method based on an MES identification data interworking system according to the present invention, fig. 2 is a schematic structural diagram of a security situation prediction method based on an MES identification data interworking system according to the present invention, and as shown in fig. 1 and fig. 2, a security situation prediction method based on an MES identification data interworking system includes:
S101, acquiring a security situation evaluation model of the MES identification data intercommunication system; the security situation evaluation model is the overall framework of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a second-level node layer and an enterprise node layer.
S102, extracting network security situation elements of each enterprise node in the enterprise node layer according to the security situation evaluation model; the network security situation elements comprise original alarm information and original flow data. The original alarm information is the alarm information raised by the security protection systems (such as a firewall or an intrusion detection system) already deployed in the MES system.
S103, determining the situation threat value of each enterprise node according to the network security situation elements.
S103 specifically comprises the following steps:
Preprocessing the original alarm information; the preprocessing includes data normalization and data clustering.
The alarm information generated in the MES system of each enterprise is normalized by a natural language processing method.
The normalized alarm information is then input to a decision tree algorithm, which gathers the data of the same attack type into one class and finally outputs a plurality of data classes, one per attack type.
Determining the proportion of the occurrence frequency of each attack type to the total occurrence frequency of attacks according to the preprocessed original alarm information.
Determining the threat level of each attack type by adopting a vulnerability scoring system according to the proportion of the occurrence frequency of each attack type to the total occurrence frequency of attacks.
Performing feature extraction on the original flow data to obtain the features of the original flow data. Specifically, the extraction tool CICFlowMeter is used to extract the features, and the CIC-IDS-2018 intrusion detection data set is used to train the convolutional neural network.
Judging whether the original flow data is abnormal or not by utilizing a convolutional neural network according to the features of the original flow data; if the original flow data is abnormal, the flow data is saved as a Boolean value 1, and if the original flow data is normal, the flow data is saved as a Boolean value 0; the convolutional neural network takes the features of the original flow data as input and the judgment result as output; the judgment result is that the original flow data is normal or that the original flow data is abnormal.
Counting the number of hosts with abnormal original flow data.
Determining the situation threat value of each enterprise node according to the threat level of each attack type and the number of hosts with abnormal original flow data.
As a specific embodiment, determining a situation threat value of each enterprise node according to the network security situation element specifically includes:
Step 1: collecting original alarm information. The original alarm information in the MES system of an enterprise node is collected; it is the alarm information raised by the security protection systems (such as a firewall or an intrusion detection system) already deployed in the MES system. Since the alarm information generated by different security protection systems may differ in form, all the collected alarm information needs to be normalized. The normalization process is as follows: the original alarm information generated in the system is taken as input, and a natural language processing method outputs 5 feature words.
The normalized alarm information format is defined as x_i = {Type, SIP, SPort, DIP, DPort}.
Here i is the serial number of the alarm information, Type is the attack type, SIP is the IP address of the intruder, SPort is the port used by the intruder, DIP is the IP address of the important sensitive data under attack, and DPort is the port of the important sensitive data under attack.
Step 2: alarm information clustering. The normalized alarm information can be divided into different data classes according to attack type, so the data of the same attack type needs to be gathered into one class, generating a plurality of data classes for the different attack types. Among classification algorithms, the decision tree algorithm has the advantages of high speed and high accuracy, and in order to meet the real-time and accuracy requirements of security protection, the method adopts the decision tree method to cluster the normalized alarm information.
Step 3: acquiring original flow data. The flow information generated by each host in the MES system of the enterprise node is collected in real time over one day by a flow monitor in the system and taken as the original data; flow features are extracted by the flow feature extraction tool CICFlowMeter, and a convolutional neural network (trained in this method on the CIC-IDS-2018 intrusion detection data set) outputs whether the flow is abnormal. If the flow data is abnormal, it is saved as a Boolean value 1, and if the flow data is normal, it is saved as a Boolean value 0.
Step 4: single enterprise node network security situation assessment.
Step 5: P is defined as the ratio of the number of occurrences of a certain attack type to the number of occurrences of all attack types. Taking one day as the time period, the clustered system alarm information generated in each day is collected, and the total number of attack occurrences A and the number of occurrences B_i of each attack type in the system are counted. The proportion P of the occurrences of a certain attack type to the total number of attacks is then calculated. The formula is as follows:
Step 6: R is defined as the attack threat level. The method adopts CVSS (the Common Vulnerability Scoring System) to assess the attack threat level, and R represents the threat degree of a certain attack type. The final score of an attack type is at most 10 and at least 0. Vulnerabilities with a score of 7-10 are generally considered serious, those with a score of 4-6.9 are medium-level vulnerabilities, and those with a score of 0-3.9 are low-level vulnerabilities.
Step 7: F is defined as the abnormal traffic condition. The abnormal traffic condition in the MES system of a certain enterprise node is counted for each day, and the statistical formula is as follows:
F is the abnormal traffic condition of the MES system of the enterprise node, i.e. the number of hosts with abnormal traffic. f is the abnormal traffic condition of each host in the MES system: when f is 0, the traffic is normal; when f is 1, the traffic is abnormal. n represents the number of hosts in the MES system.
Step 8: fusing the security situation elements. The security situation elements are fused to obtain the threat degree e of a certain attack to the enterprise MES system in one day, quantified as e = P × R + F. The larger the value of e, the higher the threat level the MES system is exposed to.
As a specific embodiment, the security situation elements are fused to obtain the threat degree e of a certain attack to the enterprise MES system in one day, quantified as e = P × R + F. The larger the value of e, the higher the threat level the MES system is exposed to.
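As an added illustration (example code written for this page, not part of the patent), the following Python carries out steps 5 to 8 for one enterprise node from a constructed set of normalized alarms and per-host CNN verdicts: P = B_i / A per attack type, the CVSS severity bands of step 6, F as the count of abnormal hosts, e = P × R + F, and the sum of e over attack types that gives the node's daily situation E. The CVSS score per attack type, the host names and the alarm records are all constructed assumptions, since the text only says that CVSS is used.

```python
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple


class Alarm(NamedTuple):
    """Normalized alarm record x_i = {Type, SIP, SPort, DIP, DPort} from step 1."""
    type: str
    sip: str
    sport: int
    dip: str
    dport: int


class NodeAssessment(NamedTuple):
    per_attack: Dict[str, float]  # e for each attack type (step 8)
    total: float                  # E = sum of e over all attack types


# Assumed CVSS base scores R (0-10) per attack type. The text only says CVSS is
# used; these values are constructed for the example and are not from the page.
CVSS_SCORE: Dict[str, float] = {
    "sql_injection": 9.8,
    "port_scan": 5.3,
    "brute_force": 7.5,
}

# Constructed sample input: five normalized alarms for one enterprise node on one
# day, and the CNN verdict f (0 normal, 1 abnormal) for each of its three hosts.
SAMPLE_ALARMS: List[Alarm] = [
    Alarm("sql_injection", "10.0.0.5", 51000, "10.0.1.10", 1433),
    Alarm("sql_injection", "10.0.0.5", 51001, "10.0.1.10", 1433),
    Alarm("sql_injection", "10.0.0.9", 40200, "10.0.1.10", 1433),
    Alarm("port_scan", "10.0.0.7", 33000, "10.0.1.20", 502),
    Alarm("brute_force", "10.0.0.7", 33100, "10.0.1.30", 22),
]
SAMPLE_HOST_FLAGS: Dict[str, int] = {"host-a": 1, "host-b": 0, "host-c": 1}


def severity(score: float) -> str:
    """Severity band of a CVSS score using the thresholds of step 6."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "serious"
    if score >= 4.0:
        return "medium"
    return "low"


def attack_proportions(alarms: Iterable[Alarm]) -> Dict[str, float]:
    """P per attack type: occurrences B_i of that type over all attacks A (step 5)."""
    counts = Counter(a.type for a in alarms)
    total = sum(counts.values())  # A
    if total == 0:  # no alarms that day: nothing to score
        return {}
    return {atype: b / total for atype, b in counts.items()}


def abnormal_host_count(host_flags: Dict[str, int]) -> int:
    """F: number of hosts whose traffic verdict f is 1 (step 7); rejects non-Boolean flags."""
    bad = {h: f for h, f in host_flags.items() if f not in (0, 1)}
    if bad:
        raise ValueError(f"host flags must be 0 or 1: {bad}")
    return sum(host_flags.values())


def attack_threat(p: float, r: float, f_total: int) -> float:
    """e = P x R + F for one attack type (step 8)."""
    return p * r + f_total


def node_situation(alarms: Iterable[Alarm], host_flags: Dict[str, int],
                   scores: Dict[str, float] = CVSS_SCORE) -> NodeAssessment:
    """Fuse the elements of one enterprise node into per-attack e values and the node's E."""
    f_total = abnormal_host_count(host_flags)
    per_attack: Dict[str, float] = {}
    for atype, p in attack_proportions(alarms).items():
        if atype not in scores:
            raise KeyError(f"no CVSS score configured for attack type {atype!r}")
        per_attack[atype] = attack_threat(p, scores[atype], f_total)
    # F enters every attack term, exactly as the definition e = P x R + F states.
    return NodeAssessment(per_attack, sum(per_attack.values()))


if __name__ == "__main__":
    result = node_situation(SAMPLE_ALARMS, SAMPLE_HOST_FLAGS)
    for atype, e in result.per_attack.items():
        r = CVSS_SCORE[atype]
        print(f"{atype:14s} R={r:4.1f} ({severity(r)}) e={e:.2f}")
    print(f"node situation E = {result.total:.2f}")
```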
S104, performing data fusion on the situation threat value of each enterprise node by adopting a bottom-to-top, layer-by-layer fusion strategy according to the security situation evaluation model to obtain the overall situation threat value of the MES identification data intercommunication system.
S104 specifically comprises: acquiring the weight of each enterprise node.
And performing data fusion on the situation threat values of all enterprise nodes corresponding to each secondary node in the secondary node layer according to the corresponding weights to obtain the situation threat values of all nodes in the secondary node layer.
And performing data fusion on the situation threat values of all secondary nodes corresponding to each top level node in the top level node layer to obtain the situation threat value of each top level node.
Performing data fusion on the situation threat value of each top-level node to obtain the situation threat value of the root node layer; and the situation threat value of the root node layer is the whole situation threat value of the MES identification data intercommunication system.
S105, determining a predicted value of the overall situation threat according to the overall situation threat value in a set date and the autoregressive moving average model; the set date is 30 days.
Finally, the threat degrees e of all attack types against an enterprise MES system are accumulated, so that the security situation of the enterprise MES system in one day is obtained, expressed as follows:
E represents the security situation of the enterprise node MES system, e represents the threat degree of a single attack type to the enterprise MES system, and n represents the number of all attack types.
Counting the network security situation of the whole system. The network security situations of the MES systems of the enterprise nodes are fused, with a weight set for the network security situation of each enterprise node, to obtain the network security situation of each secondary node; the step is repeated upward to obtain the network security situation of the whole system. The calculation formula is as follows:
S represents the network security situation of an upper-layer node obtained after data fusion, G represents the network security situation of each node of the current layer, and n represents the number of nodes of the current layer belonging to that upper-layer node. For example, when the network security situation of each node in the second-level node layer is obtained by fusing the network security situations of the nodes in the enterprise node layer, the network security situation E of each enterprise-layer node is taken as the network security situation G of the current layer in the formula, and the network security situation of each second-level node obtained after fusion is the upper-layer network security situation S. Finally, by fusing upward layer by layer, the network security situation value of the whole system in one day is obtained.
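The layer-by-layer fusion described above, as an added example (not the patent's own code): a four-layer model is built as a tree, and each upper-layer node's S is computed as the weighted sum of its children's G, starting from the enterprise nodes' E and ending at the root, whose value is the overall system situation. The tree, the E values and the weights are constructed, and it is additionally assumed that the weights under one parent are normalized to sum to 1, which the text does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    """One node of the assessment model. Enterprise nodes (leaves) carry their E in
    `value`; `weight` is the weight used when the node is fused into its parent."""
    name: str
    weight: float = 1.0
    value: Optional[float] = None
    children: List["Node"] = field(default_factory=list)


def fuse(node: Node, report: Dict[str, float]) -> float:
    """S = sum of w_j * G_j over the children, applied recursively from the
    enterprise layer upward. Assumption: weights under one parent are normalized
    to sum to 1, so each fused value is a weighted average of the layer below."""
    if not node.children:
        if node.value is None:
            raise ValueError(f"enterprise node {node.name!r} has no situation value")
        report[node.name] = node.value
        return node.value
    if any(c.weight < 0 for c in node.children):
        raise ValueError(f"negative weight under {node.name!r}")
    total_w = sum(c.weight for c in node.children)
    if total_w <= 0:
        raise ValueError(f"weights under {node.name!r} must have a positive sum")
    s = sum(c.weight / total_w * fuse(c, report) for c in node.children)
    report[node.name] = s
    return s


def fuse_tree(root: Node) -> Dict[str, float]:
    """Situation value of every node; the root entry is the overall system value."""
    report: Dict[str, float] = {}
    fuse(root, report)
    return report


def sample_model() -> Node:
    """Constructed four-layer model: root -> top-level -> secondary -> enterprise.
    The enterprise E values and all weights are made up for the example."""
    return Node("root", children=[
        Node("top-1", weight=0.5, children=[
            Node("sec-1", weight=0.4, children=[
                Node("ent-1", weight=0.5, value=10.0),
                Node("ent-2", weight=0.5, value=20.0),
            ]),
            Node("sec-2", weight=0.6, children=[
                Node("ent-3", weight=1.0, value=30.0),
            ]),
        ]),
        Node("top-2", weight=0.5, children=[
            Node("sec-3", weight=1.0, children=[
                Node("ent-4", weight=1.0, value=8.0),
            ]),
        ]),
    ])


if __name__ == "__main__":
    for name, s in fuse_tree(sample_model()).items():
        print(f"{name:6s} {s:6.2f}")
```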
In order to help the security manager comprehensively grasp the security posture of the system and make a corresponding coping strategy according to the security posture, S105 further includes:
and feeding back the overall situation threat prediction value.
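For S105, an added example (not from the patent) of the 30-day prediction step: it fits a model on the last 30 daily overall threat values and forecasts the following days. The text names an autoregressive moving average model; to stay dependency-free this block fits a pure autoregressive AR(p) model by least squares instead of a full ARMA, which is a stated simplification, and the 30-day history is constructed with a fixed seed.

```python
import random
from typing import List, Sequence


def _solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gaussian elimination with partial pivoting (small systems)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular normal equations; lower the order p")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        acc = m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = acc / m[i][i]
    return x


def fit_ar(series: Sequence[float], p: int) -> List[float]:
    """Least-squares fit of y_t = c + phi_1 y_{t-1} + ... + phi_p y_{t-p}.
    Returns [c, phi_1, ..., phi_p] from the normal equations X'X b = X'y."""
    n = len(series)
    if p < 1 or n < 2 * p + 2:
        raise ValueError("series too short for the requested order p")
    rows = [[1.0] + [series[t - k] for k in range(1, p + 1)] for t in range(p, n)]
    targets = [series[t] for t in range(p, n)]
    dim = p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(dim)] for i in range(dim)]
    xty = [sum(r[i] * y for r, y in zip(rows, targets)) for i in range(dim)]
    return _solve_linear(xtx, xty)


def forecast_ar(series: Sequence[float], coef: List[float], horizon: int) -> List[float]:
    """Iterated one-step forecasts; each forecast is appended to the history."""
    p = len(coef) - 1
    history = list(series)
    out: List[float] = []
    for _ in range(horizon):
        nxt = coef[0] + sum(coef[k] * history[-k] for k in range(1, p + 1))
        out.append(nxt)
        history.append(nxt)
    return out


def predict_overall_threat(daily: Sequence[float], window: int = 30,
                           p: int = 2, horizon: int = 1) -> List[float]:
    """Fit on the most recent `window` daily overall threat values (30 days in the
    method) and return the next `horizon` predicted values."""
    if len(daily) < window:
        raise ValueError(f"need at least {window} daily values, got {len(daily)}")
    recent = list(daily[-window:])
    return forecast_ar(recent, fit_ar(recent, p), horizon)


def constructed_daily_series(days: int = 30, seed: int = 7) -> List[float]:
    """Constructed history: a slowly rising threat value with daily noise."""
    rng = random.Random(seed)
    return [12.0 + 0.15 * d + rng.gauss(0.0, 0.6) for d in range(days)]


if __name__ == "__main__":
    history = constructed_daily_series()
    print("next-day overall threat prediction:", predict_overall_threat(history)[0])
```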
Fig. 4 is a schematic structural diagram of a security situation prediction system based on an MES identification data interworking system provided by the present invention, and as shown in fig. 4, the security situation prediction system based on the MES identification data interworking system provided by the present invention includes: the system comprises a security situation assessment model obtaining module 401, a network security situation element determining module 402, a situation threat value determining module 403, an overall situation threat value determining module 404 and an overall situation threat prediction value determining module 405.
The security situation assessment model acquisition module 401 is configured to acquire a security situation assessment model of the MES identification data interworking system; the safety situation evaluation model is an integral framework of an MES identification data intercommunication system; the safety situation assessment model comprises a root node layer, a top level node layer, a second level node layer and an enterprise node layer from top to bottom.
The network security situation element determining module 402 is configured to extract a network security situation element of each enterprise node in the enterprise node layer according to the security situation evaluation model; the network security situation elements comprise: original alarm information and original flow data.
The situation threat value determination module 403 is configured to determine a situation threat value of each enterprise node according to the network security situation elements.
The overall situation threat value determining module 404 is configured to perform data fusion on the situation threat value of each enterprise node according to the security situation assessment model by using a bottom-to-top and layer-by-layer fusion strategy, so as to obtain an overall situation threat value of the MES identification data interworking system.
The overall situation threat prediction value determination module 405 is configured to determine an overall situation threat prediction value according to the overall situation threat value within a set date and the autoregressive moving average model; the set date is 30 days.
The situation threat value determination module 403 specifically includes: the system comprises a preprocessing unit, an attack proportion determining unit, a threat level determining unit, a feature extracting unit, an original flow data judging unit, an abnormal statistical unit and a situation threat value determining unit.
The preprocessing unit is used for preprocessing the original alarm information; the preprocessing includes data normalization and data clustering.
And the attack proportion determining unit is used for determining the proportion of the occurrence frequency of each attack type to the total number of attack occurrences according to the preprocessed original alarm information.
And the threat level determining unit is used for determining the threat level of each attack type by adopting a vulnerability scoring system according to the proportion of the occurrence frequency of each attack type to the total occurrence frequency of the attacks.
The characteristic extraction unit is used for extracting the characteristics of the original flow data to obtain the characteristics of the original flow data.
The original flow data judging unit is used for judging whether the original flow data are abnormal or not by utilizing a convolutional neural network according to the features of the original flow data; if the original flow data is abnormal, the flow data is saved as a Boolean value 1, and if the original flow data is normal, the flow data is saved as a Boolean value 0; the convolutional neural network takes the features of the original flow data as input and the judgment result as output; the judgment result is that the original flow data is normal or that the original flow data is abnormal.
The abnormal statistic unit is used for counting the number of abnormal hosts of the original flow data.
And the situation threat value determining unit is used for determining the situation threat value of each enterprise node according to the threat level of each attack type and the number of corresponding abnormal hosts of the original flow data.
The overall situation threat value determining module 404 specifically includes: the system comprises a weight obtaining unit of an enterprise node, a situation threat value determining unit of each node of a second-level node layer, a situation threat value determining unit of a top-level node and an overall situation threat value determining unit.
The weight acquiring unit of the enterprise node is used for acquiring the weight of each enterprise node.
And the situation threat value determination unit of each node of the secondary node layer is used for performing data fusion on the situation threat values of all enterprise nodes corresponding to each secondary node in the secondary node layer according to the corresponding weights to obtain the situation threat values of each node of the secondary node layer.
And the situation threat value determination unit of the top level node is used for performing data fusion on the situation threat values of all the secondary nodes corresponding to each top level node in the top level node layer to obtain the situation threat value of each top level node.
The overall situation threat value determining unit is used for carrying out data fusion on the situation threat value of each top-level node to obtain a situation threat value of the root node layer; and the situation threat value of the root node layer is the whole situation threat value of the MES identification data intercommunication system.
In order to help security management personnel to comprehensively master the security situation of the system and make corresponding coping strategies, the security situation prediction system based on the MES identification data intercommunication system provided by the invention further comprises: and a feedback module.
And the feedback module is used for feeding back the overall situation threat prediction value.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.